From b45679f122b2ab083653d399144f733abbb23061 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Thu, 22 Oct 2020 09:33:11 +0100
Subject: [PATCH] Fix permission denied during Fernet key rotation

During a deploy, if keystone Fernet key rotation happens before the
keystone container starts, the rotation may fail with 'permission
denied'. This happens because only config.json for Keystone sets the
permissions for /etc/keystone/fernet-keys.

This change fixes the issue by also setting the permissions for
/etc/keystone/fernet-keys in config.json for keystone-fernet and
keystone-ssh.

Change-Id: I561e4171d14dcaad8a2a9a36ccab84a670daa904
Closes-Bug: #1888512
---
 ansible/roles/keystone/templates/keystone-fernet.json.j2   | 7 +++++++
 ansible/roles/keystone/templates/keystone-ssh.json.j2      | 7 +++++++
 .../notes/fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml  | 7 +++++++
 3 files changed, 21 insertions(+)
 create mode 100644 releasenotes/notes/fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml

diff --git a/ansible/roles/keystone/templates/keystone-fernet.json.j2 b/ansible/roles/keystone/templates/keystone-fernet.json.j2
index 05fa9cda53..72bd4e007e 100644
--- a/ansible/roles/keystone/templates/keystone-fernet.json.j2
+++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2
@@ -50,5 +50,12 @@
             "owner": "keystone",
             "perm": "0600"
         }{% endif %}
+    ],
+    "permissions": [
+        {
+            "path": "/etc/keystone/fernet-keys",
+            "owner": "keystone:keystone",
+            "perm": "0770"
+        }
     ]
 }
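Review bot: The new permissions entry makes /etc/keystone/fernet-keys group-writable (`"perm": "0770"`, `"owner": "keystone:keystone"`), while the key file entry closing at the top of this hunk is owner-only (`"owner": "keystone"`, `"perm": "0600"`); unless the rotation in this container runs as a member of the keystone group rather than as the keystone user, `"perm": "0700"` would match the owner-only policy already applied to the keys themselves. The identical entry in keystone-ssh.json.j2 (second hunk) has the same question. The commit message says this mirrors what keystone's own config.json sets, which is outside this patch; if that file also uses 0770, keeping all three templates in agreement is the stronger argument and this becomes a point of consistency rather than a defect. The enclosing JSON object starts outside the hunk.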
diff --git a/ansible/roles/keystone/templates/keystone-ssh.json.j2 b/ansible/roles/keystone/templates/keystone-ssh.json.j2
index ca016f8223..d2b5edb415 100644
--- a/ansible/roles/keystone/templates/keystone-ssh.json.j2
+++ b/ansible/roles/keystone/templates/keystone-ssh.json.j2
@@ -13,5 +13,12 @@
             "owner": "keystone",
             "perm": "0600"
         }
+    ],
+    "permissions": [
+        {
+            "path": "/etc/keystone/fernet-keys",
+            "owner": "keystone:keystone",
+            "perm": "0770"
+        }
     ]
 }
diff --git a/releasenotes/notes/fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml b/releasenotes/notes/fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml
new file mode 100644
index 0000000000..1f73b5db08
--- /dev/null
+++ b/releasenotes/notes/fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes an issue where Keystone Fernet key rotation may fail due to
+    permission denied error if the Keystone rotation happens before the
+    Keystone container starts. `LP#1888512
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1888512>`__